Software defined networking (SDN) is a network model that redefines network characteristics by making the network components programmable, allowing the network to be monitored faster and at larger scale, operating the network from a central location, and making it possible to detect fraudulent traffic and particular malfunctions simply and effectively. At the same time, SDN is the target of many security threats that can lead to the complete suspension of the network. To mitigate such attacks, this paper relies on machine learning techniques for rapid detection; the methods were evaluated on detecting DDoS attacks and the classifier with the optimum accuracy for these attack types within the SDN was selected. The results show that the proposed system achieves the best accuracy for detecting DDoS attacks in an SDN network with the Decision Tree (DT) algorithm, at 99.90%.
1. INTRODUCTION

Software defined networking (SDN) is defined by separating the control plane from the data plane. The SDN model contributes to addressing the limitations of traditional network design [1]; it consists of three main levels: the data plane devices, the controller level, and the application level. The data plane carries network traffic according to the controller's decisions. To decide traffic flow, the control plane computes routing tables [2]. A group of other applications, such as load balancing, firewalls, and quality of service applications [3], also benefit, since SDN improves their performance by separating the control units and their functions from the data-forwarding units [4]. Control applications running on a logically centralized controller regulate several routers in the network [5].

Applications can access the complete network's information only via the SDN controller. Load balancing and intrusion detection become much easier when many applications are integrated [6]. Whenever an abnormality is identified, the application instructs the controller to reprogram the data plane [7]. The devices in the network expose open interfaces that are managed by software, so the control and data planes run on routers dispersed across the network [8].

In an SDN architecture, several devices can be reconfigured simultaneously. Network devices are configured at this tier through the application layer [9]. The SDN architecture's control layer (control plane) consists of a single controller. APIs are used to communicate between the two levels [10].
DDoS attacks have a significant influence on the SDN's uptime. They have the greatest effect on the SDN controller, since it is the most vulnerable point of failure: in SDN there is only one point of failure, the centralized controller. The data plane and control plane exchange messages over a secure south-bound link, and even a small amount of congestion on that channel may cause enormous delays in the network.

Mehr et al. [11] use a tree network architecture and the Mininet emulator to conduct a DDoS attack on the Ryu controller. Using a machine learning technique, support vector machines (SVM), they identify DDoS attacks through the flows installed in switches and evaluate the timing pattern of the DDoS attack when determining their detection. Their detection technique minimized the impact of DDoS attacks on the Ryu controller by 36%.

Rahman et al. [12] detected and blocked DDoS attacks in an SDN network using a variety of machine learning algorithms, including J48, RF, SVM and K-NN. Mitigation relies entirely on a script that prevents and reduces attacks and their impact on the SDN network, using the model that was trained and selected as the best fit for the proposed network during the assessment phase. The findings revealed that J48 outperformed the other algorithms, particularly in the time required for training and testing.

Sun et al. [13] proposed a way for SDN controllers to identify DDoS attacks in real time. Entropy is used first; after an abnormality notification is raised, the DDoS attack features in the SDN environment are studied to extract the critical features linked to the attack, and the flow entries of the OpenFlow switch are retrieved. Real-time traffic is then classified to identify DDoS attacks with an ANN method called BiLSTM-RNN. Compared with other approaches, this one identifies DDoS attacks and minimizes controller overhead in an SDN context more effectively.

Dehkordi et al. [14] suggested a new method for identifying DDoS attacks in SDN. The method's three collectors are entropy-based and classification-based. On the UNB-ISCX, CTU-13, and ISOT datasets, the results suggest that the method outperforms the competition in detecting SDN-DDoS threats.

Chen et al. [15] suggest a multi-layer IoT DDoS attack detection based on M.L, which comprises IoT devices, gateways, SDN switches, and cloud servers. As a first step, they install eight sensor-equipped smart poles across the campus, collecting data from each one through wired or wireless networks. Then, depending on the sort of DDoS attack, they extract the characteristics. The system was capable of properly detecting DDoS attacks in their tests. In addition, the IoT DDoS attack detection system's blacklists may be used by the SDN controller to efficiently block harmful devices.

Sen et al. [16] employed AdaBoosting with decision stumps as the basic classifier on a private network dataset in an SDN setting. The model exhibited a 93 percent detection accuracy and a low false-positive rate. They reported their findings after evaluating and comparing the model's performance with several M.L approaches.

Tan et al. [17] detect and counter DDoS in the SDN environment with a cooperative technique. First, they use a DDoS detection state on the data layer to monitor the network for unexpected flows. They identify abnormal flows based on a detection trigger mechanism and the rate asymmetry characteristics of the streams, using a machine learning approach based on the K-Means and K-nearest neighbors (KNN) algorithms. Finally, the controller reacts to the attacks by implementing the appropriate countermeasures. With this new framework for cooperative control plane and data plane detection, they successfully enhance detection accuracy and efficiency while preventing SDN threats.

Ahmad et al. [18] show that SDN DoS and DDoS attacks may be mitigated using machine learning methods, deriving key implications for security detection based on machine learning algorithms in future communication networks and evaluating these methods by the controller and the extent of the impact DDoS has on it. The SVM's accuracy was determined to be 97.5%.

Ahuja et al. [19] use a variety of deep learning algorithms to categorize traffic into normal and harmful groups depending on the characteristics in a dataset with one class label. According to the findings, the SAE-MLP produced the highest accuracy score, 99.75%. In this paper, improving the security of DDoS attack detection in the SDN controller based on machine learning techniques is proposed. The paper is organized as follows: 1. introduction, 2. the proposed method, 3. method, 4. results and discussion, and 5. conclusion.


2. THE PROPOSED METHOD 

The proposed security of the SDN controller against DDoS attacks is executed in three main stages and is based on the three machine learning algorithms used in this work (LR, NB and DT; see Section 3). The system stages are as follows: i) Stage one: data pre-processing on the full dataset to transform the raw data into a useful and efficient format; ii) Stage two: data classification depending on the machine learning classifiers; iii) Stage three: applying the machine learning algorithms and obtaining the results.

DDoS attack detection in software defined networking controller using machine (Abbas Jasem Altamemi)
ISSN: 2302-9285
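Stage one above (data cleaning, label encoding, normalization, feature selection and the 70/30 split of Figure 1) can be made concrete with the following added example. It is not code from the paper or its authors; it uses pure Python rather than a library, and the flow records, field names and label values are constructed for illustration.

```python
import random
from statistics import pvariance

# Constructed sample of raw flow records (not from the paper's dataset).
# Each row is [protocol, packets, bytes, constant_field, label].
RAW_ROWS = [
    ["tcp", 12, 1400, 1, "normal"],
    ["udp", 950, 60000, 1, "attack"],
    ["tcp", 8, 900, 1, "normal"],
    ["icmp", 1200, 84000, 1, "attack"],
    ["tcp", 15, 1800, 1, "normal"],
    ["udp", 1100, 77000, 1, "attack"],
    ["tcp", 10, 1200, 1, "normal"],
    ["icmp", 990, 69300, 1, "attack"],
    ["tcp", 9, 1000, 1, "normal"],
    ["udp", 1050, 73500, 1, "attack"],
]
FEATURE_NAMES = ["protocol", "packets", "bytes", "constant_field"]


def label_encode(values):
    """Map each distinct categorical value to an integer code (sorted so the mapping is deterministic)."""
    mapping = {v: i for i, v in enumerate(sorted(set(values)))}
    return [mapping[v] for v in values], mapping


def min_max_normalize(column):
    """Scale a numeric column into [0, 1]; a constant column maps to all zeros instead of dividing by zero."""
    lo, hi = min(column), max(column)
    if hi == lo:
        return [0.0 for _ in column]
    return [(x - lo) / (hi - lo) for x in column]


def select_features(rows, names, min_variance=1e-9):
    """Feature selection by variance: drop columns that never change and so carry no information."""
    keep = [j for j in range(len(names)) if pvariance([r[j] for r in rows]) > min_variance]
    return [[r[j] for j in keep] for r in rows], [names[j] for j in keep]


def preprocess(raw_rows, names):
    """Stage one: encode categorical fields, normalize every feature, select features, encode labels."""
    features = [r[:-1] for r in raw_rows]
    labels = [r[-1] for r in raw_rows]
    processed_columns = []
    for col in zip(*features):
        if isinstance(col[0], str):
            encoded, _ = label_encode(col)
            processed_columns.append(min_max_normalize(encoded))
        else:
            processed_columns.append(min_max_normalize(list(col)))
    rows = [list(r) for r in zip(*processed_columns)]
    rows, kept_names = select_features(rows, names)
    encoded_labels, label_map = label_encode(labels)
    return rows, encoded_labels, kept_names, label_map


def train_test_split(rows, labels, test_fraction=0.30, seed=42):
    """Deterministic shuffle, then hold out test_fraction of the rows (the paper uses 70% / 30%)."""
    idx = list(range(len(rows)))
    random.Random(seed).shuffle(idx)
    n_test = round(len(rows) * test_fraction)
    test_idx, train_idx = idx[:n_test], idx[n_test:]
    return ([rows[i] for i in train_idx], [labels[i] for i in train_idx],
            [rows[i] for i in test_idx], [labels[i] for i in test_idx])


if __name__ == "__main__":
    x, y, kept, label_map = preprocess(RAW_ROWS, FEATURE_NAMES)
    x_train, y_train, x_test, y_test = train_test_split(x, y)
    print("kept features:", kept, "label map:", label_map)
    print("train/test sizes:", len(x_train), len(x_test))
```

The constant field is removed by the variance check, the protocol column becomes numeric before normalization, and the split is seeded so that the same rows land in the test set on every run, which matters when comparing classifiers as the paper does in Section 4.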
a. System implementation 

The system was implemented in an environment with the specifications listed in Table 1. The code of the proposed system was written in the Python programming language.


Table 1. Environment specifications for the proposed system
Operating system       Windows 10
CPU                    Core (TM) i5-3630
RAM                    16.00 GB
Implementation tools   Python, Cloud Azure


b. Proposed approach 

The proposed approach is based on three machine learning algorithms and uses a real-time traffic dataset, which provides the most up-to-date benign and frequent DDoS attacks and closely reflects real-time data (PCAPs). The traffic was analyzed with CICFlowMeter-V3 and labelled by time stamp, source IP/destination IP addresses, ports, protocols, and attack method (CSV files).

A set of evaluation measures based on the confusion matrix was relied upon; the equations, each with a short description, are given in (1) to (6).

1. Precision: the number of TP divided by the sum of the TP and FP numbers. It is computed with (1) [20].

$\mathrm{Precision} = \frac{TP}{TP + FP}$ (1)


2. Accuracy: the number of correct predictions divided by the total number of predictions. It is computed with (2) [21].

$\mathrm{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN}$ (2)
3. Recall: the TP number divided by the sum of the TP and FN numbers. It is computed with (3) [22].

$\mathrm{Recall} = \frac{TP}{TP + FN}$ (3)
4. F-measure: one of the statistical analysis methods for measuring the accuracy of a test. It combines the precision of the test with its recall, that is, the correctly identified positive results out of all predicted positives together with those out of all actual positives, including the ones that were not correctly determined. It is computed with (4) [23].

$\mathrm{F\text{-}Measure} = \frac{2 \cdot TP}{2 \cdot TP + FN + FP}$ (4)


5. Detection rate (DR): it measures the identified positive (anomaly) items out of all the actual positive instances. It is computed with (5) [24].

$\mathrm{DR} = \frac{TP}{TP + FN}$ (5)


6. False alert rate (FAR): the proportion of negative instances mistakenly considered positive (anomaly) out of all actual negatives; the lower the value, the better. It is computed with (6) [25].

$\mathrm{FAR} = \frac{FP}{FP + TN}$ (6)


The confusion matrix shown in Table 2 describes the classification performance on the test data.
- TP: positive instances correctly classified as positive.
- FN: positive instances incorrectly classified as negative.
- FP: negative instances incorrectly predicted and classified as positive.
- TN: negative instances correctly predicted as negative by the classification model [26].


Table 2. Confusion matrix
                             Predicted class
                             Positive (+)    Negative (-)
Actual class   Positive (+)  TP              FN
               Negative (-)  FP              TN
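Equations (1) to (6) and the confusion matrix of Table 2 are implemented in the following added example; it is not the paper's code. The label lists are constructed, and the positive class is assumed to be the string "attack". The second scenario, a classifier that flags every flow, shows why accuracy alone is a poor guide: it scores recall 1.0 but FAR 1.0, which is the trade-off the NB result in Section 4.2 (high precision, low recall) sits on the other side of.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ConfusionMatrix:
    tp: int  # attack flows correctly flagged as attack
    fp: int  # normal flows wrongly flagged as attack
    fn: int  # attack flows missed (predicted normal)
    tn: int  # normal flows correctly predicted normal

    @classmethod
    def from_labels(cls, actual, predicted, positive="attack"):
        """Fill the four cells by pairing each true label with its prediction."""
        if len(actual) != len(predicted):
            raise ValueError("actual and predicted label lists differ in length")
        tp = fp = fn = tn = 0
        for a, p in zip(actual, predicted):
            if p == positive:
                if a == positive:
                    tp += 1
                else:
                    fp += 1
            elif a == positive:
                fn += 1
            else:
                tn += 1
        return cls(tp, fp, fn, tn)

    @staticmethod
    def _ratio(num, den):
        # An empty denominator (e.g. no actual negatives) yields 0.0 rather than a ZeroDivisionError.
        return num / den if den else 0.0

    def precision(self):          # eq (1)
        return self._ratio(self.tp, self.tp + self.fp)

    def accuracy(self):           # eq (2)
        return self._ratio(self.tp + self.tn, self.tp + self.tn + self.fp + self.fn)

    def recall(self):             # eq (3)
        return self._ratio(self.tp, self.tp + self.fn)

    def f_measure(self):          # eq (4)
        return self._ratio(2 * self.tp, 2 * self.tp + self.fn + self.fp)

    def detection_rate(self):     # eq (5), identified positives out of all actual positives
        return self._ratio(self.tp, self.tp + self.fn)

    def false_alert_rate(self):   # eq (6), negatives wrongly raised as positives
        return self._ratio(self.fp, self.fp + self.tn)

    def report(self, digits=4):
        return {
            "precision": round(self.precision(), digits),
            "accuracy": round(self.accuracy(), digits),
            "recall": round(self.recall(), digits),
            "f_measure": round(self.f_measure(), digits),
            "DR": round(self.detection_rate(), digits),
            "FAR": round(self.false_alert_rate(), digits),
        }


# Constructed ground truth and predictions for ten flows (4 attacks, 6 normal).
ACTUAL = ["attack"] * 4 + ["normal"] * 6
PREDICTED = ["attack", "attack", "attack", "normal",
             "attack", "normal", "normal", "normal", "normal", "normal"]


def evaluate_sample():
    """Confusion matrix of the constructed predictions: TP=3, FP=1, FN=1, TN=5."""
    return ConfusionMatrix.from_labels(ACTUAL, PREDICTED)


def flag_everything_baseline(actual):
    """A degenerate detector that raises an alert on every flow; recall is 1.0 but FAR is 1.0 too."""
    return ConfusionMatrix.from_labels(actual, ["attack"] * len(actual))


if __name__ == "__main__":
    print("sample classifier:", evaluate_sample().report())
    print("flag-everything baseline:", flag_everything_baseline(ACTUAL).report())
```

Note that DR and recall coincide under these definitions, so a table that reports recall 1.0 alongside DR 0 for the same model (as Table 4 below does) cannot be describing one confusion matrix; checking the six values against each other in this way is a cheap sanity test on any published result.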


3. METHOD

The method is based on the LR, NB and DT machine learning algorithms, and its main steps are shown in Figure 1. The proposed matching strategy compares each incoming real-time request from the nodes with the behaviour stored by the trained classifier (an SDN-specific dataset generated with the Mininet emulator and used for traffic classification by machine learning). It compares the source and destination IP and MAC addresses; if the incoming request carries the authorized values, it is matched, waits for processing and is classified as normal traffic. If the packet details do not match the behaviour stored and matched in the first step, the trained model can classify the request as attack traffic.
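The two-step matching strategy just described, as an added example that is not the paper's code: step 1 checks the (source IP, destination IP, source MAC, destination MAC) tuple against the stored behaviour of normal training traffic, and only unmatched requests go to the trained model. The model here is a one-split decision tree (a decision stump) on the packet rate, chosen as the simplest member of the DT family the paper uses; the flows, addresses, rates and labels are all constructed, and the held-out set deliberately includes a flow from a whitelisted address pair carrying an attack-level rate to show what the address match alone cannot catch.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_mac: str
    dst_mac: str
    pkt_rate: float  # packets per second observed for this flow (constructed feature)


def address_key(flow):
    """The fields the paper's first step compares against the stored behaviour."""
    return (flow.src_ip, flow.dst_ip, flow.src_mac, flow.dst_mac)


def build_behavior_store(flows, labels):
    """Step 1 store: address tuples seen only in training traffic labelled normal."""
    normal = {address_key(f) for f, lab in zip(flows, labels) if lab == "normal"}
    attack = {address_key(f) for f, lab in zip(flows, labels) if lab == "attack"}
    return normal - attack


def train_stump(flows, labels):
    """Step 2 model: a one-split decision tree on pkt_rate, where rates above the threshold are attacks.
    The threshold is the midpoint between neighbouring training rates that maximizes training accuracy."""
    rates = sorted({f.pkt_rate for f in flows})
    candidates = [(a + b) / 2 for a, b in zip(rates, rates[1:])]
    best_t, best_acc = None, -1.0
    for t in candidates:
        correct = sum((f.pkt_rate > t) == (lab == "attack") for f, lab in zip(flows, labels))
        acc = correct / len(flows)
        if acc > best_acc:
            best_t, best_acc = t, acc
    return best_t


def classify(flow, store, threshold):
    """Real-time matching strategy: a stored address tuple is treated as normal, anything else is
    handed to the trained model."""
    if address_key(flow) in store:
        return "normal"
    return "attack" if flow.pkt_rate > threshold else "normal"


def evaluate(flows, labels, store, threshold):
    """Fraction of held-out flows the strategy labels correctly."""
    hits = sum(classify(f, store, threshold) == lab for f, lab in zip(flows, labels))
    return hits / len(flows)


# Constructed training traffic: two normal host pairs and one flooding source.
H1, H2, H3, H9 = "10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.9"
M1, M2, M3, M9 = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03", "00:00:00:00:00:09"
TRAIN_FLOWS = [
    Flow(H1, H2, M1, M2, 10.0), Flow(H1, H2, M1, M2, 20.0),
    Flow(H3, H2, M3, M2, 30.0), Flow(H3, H2, M3, M2, 40.0),
    Flow(H9, H2, M9, M2, 900.0), Flow(H9, H2, M9, M2, 1200.0),
]
TRAIN_LABELS = ["normal", "normal", "normal", "normal", "attack", "attack"]

# Constructed held-out traffic; the last flow spoofs a whitelisted pair at an attack-level rate.
TEST_FLOWS = [
    Flow(H1, H2, M1, M2, 12.0),
    Flow("10.0.0.7", H2, "00:00:00:00:00:07", M2, 7.0),
    Flow("10.0.0.7", H2, "00:00:00:00:00:07", M2, 3000.0),
    Flow(H3, H2, M3, M2, 2500.0),
]
TEST_LABELS = ["normal", "normal", "attack", "attack"]


if __name__ == "__main__":
    store = build_behavior_store(TRAIN_FLOWS, TRAIN_LABELS)
    t = train_stump(TRAIN_FLOWS, TRAIN_LABELS)
    print("threshold:", t, "held-out accuracy:", evaluate(TEST_FLOWS, TEST_LABELS, store, t))
```

The held-out accuracy is 0.75 rather than 1.0 because the strategy, following the paper, short-circuits to "normal" for any matched address tuple without consulting the model. In a deployment the matched branch should still feed the rate features to the classifier (or to a rate limit), since IP and MAC addresses are not authenticated in the data plane.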


Figure 1. The proposed machine learning system model (flowchart: Start -> Real-Time Dataset -> Data Pre-processing (Data Cleaning, Label Encoding, Normalization, Feature Selection) -> Training 70% / Testing 30% -> Machine Learning (LR, NB and DT) -> Real-Time Matching strategy (DDoS Classification) -> Evaluation Results)


4. RESULTS AND DISCUSSION 

The proposed system was implemented online to test and evaluate incoming requests directly, matching each incoming request as DDoS attack traffic or normal data traffic. The results were calculated with three machine learning algorithms: the logistic regression (LR) algorithm, the Naive Bayes (NB) algorithm, and the Decision Tree (DT) algorithm, as shown in Figure 2. These algorithms build implicit or explicit models from the given data, producing systems that learn from data without being explicitly programmed, which helps to find hidden patterns and leads to better insights.
Figure 2. The used machine learning algorithms (DDoS Attack Detection Methodology: ML Logistic Regression (LR), ML Naive Bayes (NB), ML Decision Tree (DT))


4.1. The 1st case study

The 1st case study is based on logistic regression (LR) to build a model for detecting DDoS attacks from the training and testing SDN environment. LR provides a linear classification model that gives the likelihood of a class Y given a feature vector X, using a logistic function to discover the relation between the class and the feature vector. It supposes that the distribution P(Y|X), where Y is the class and X is the feature vector, has a particular form and then estimates it from the training data. Table 3 shows the accuracy and time details together with the confusion-matrix parameters, false positive rate and false negative rate, of DDoS attack detection in the SDN controller based on LR. Further evaluation metrics of the proposed system based on the LR classifier are given in Table 4 and Figure 3.


Table 3. The results of LR algorithm for DDoS attack detection case study
Method Name                Accuracy   False Positive Rate   False Negative Rate   Time
Logistic Regression (LR)   72.65%     0                     71511                 7.844 sec


Table 4. Evaluation details of the DDoS attack detection with LR
Evaluation Parameters    Logistic Regression (LR)
Precision                0.73
Recall                   1.0
F-Measure                0.84
Detection Rate (DR)      0
False Alert Rate (FAR)   0
TP Rate                  0
TN Rate                  190633
Figure 3. Precision, recall, F-measure, DR and FAR of LR case study (bar chart "LR Evaluation Metrics" of the values in Table 4)


4.2. The 2nd case study

The 2nd case study is based on the naive Bayes (NB) algorithm, a classifier that relies on Bayes' theorem to classify traffic in SDN as normal or as abnormal DDoS attack traffic. Despite its simplicity, it can be superior to many sophisticated classification methods. The model classifier can be described as a machine learning model used to discriminate between various objects based on certain characteristics; in machine learning, the probabilistic naive Bayes model is used for the classification task. Table 5 shows the main NB evaluation metrics of DDoS attack detection. Further evaluation metrics of the proposed system based on the NB classifier are shown in Table 6 and Figure 4.
Table 5. The results of NB algorithm for DDoS attack detection case study
Method Name        Accuracy   False Positive Rate   False Negative Rate   Time
Naive Bayes (NB)   52.88 %    123371                0                     1.910 sec


Table 6. Evaluation details of the DDoS attack detection with NB
Evaluation Parameters    Naive Bayes (NB)
Precision                1.0
Recall                   0.35
F-Measure                0.52
Detection Rate (DR)      1
False Alert Rate (FAR)   0.647
TP Rate                  71511
TN Rate                  67262
Figure 4. Precision, recall, F-measure, DR and FAR of NB case study (bar chart "NB Evaluation Metrics" of the values in Table 6)


4.3. The 3rd case study

The 3rd case study is based on the decision tree (DT) algorithm, which is used in SDN networks to automatically identify the classification approach; it consists of a group of nodes located inside the tree, which are pre-classified based on branches and a weighted test scale. It is possible to classify an integrated text document starting from the root, depending on the structure of the query, until a specific page is reached within the system. Table 7 shows the accuracy rate and the time required to build the DT model. Further evaluation metrics of the proposed system based on the DT classifier are shown in Table 8 and Figure 5.


Table 7. The results of DT algorithm for DDoS attack detection case study
Method Name          Accuracy   False Positive Rate   False Negative Rate   Time
Decision Tree (DT)   99.90 %    0                     0                     11.919 sec


Table 8. Evaluation details of the DDoS attack detection with DT
Evaluation Parameters    Decision Tree (DT) Algorithm
Precision                1.0
Recall                   0.99
F-Measure                0.99
Detection Rate (DR)      0.99
False Alert Rate (FAR)   0.01
TP Rate                  71511
TN Rate                  190633
Figure 5. Precision, recall, F-measure, DR and FAR of DT case study (bar chart "DT Evaluation Metrics" of the values in Table 8)
The proposed system is compared across the different case studies and with other related works. Table 9 and Figure 6 show the comparison among the proposed machine learning algorithms, and Table 10 compares the proposed system with the related works. The best accuracy of the proposed system over all case studies is obtained with DT, at 99.90%.


Table 9. Evaluation details of the used machine learning in DDoS attack detection in SDN environment
Evaluation Parameters   LR      NB      DT
Accuracy                72.65   52.88   99.90
Figure 6. The proposed system accuracy comparison (bar chart "Accuracy Evaluation Metric": LR 72.65, NB 52.88, DT 99.90)


Table 10. The results of proposed system with the DDoS attack of SDN compared systems
Ref. No           Year   Dataset                                     Method Name                                              Accuracy
[20]              2021   Real-Time dataset using RYU API - Mininet   Support vector classifier with random forest (SVC-RF)    98.8 %
                                                                     Logistic Regression (LR)                                 83.69 %
                                                                     Decision Tree (DT)                                       78 %
[22]              2021   KDD99 dataset                               Support vector machine (SVM)                             85 %
[23]              2021   CICIDS2017 dataset                          V-NKDE (Voting - Naive Bayes, K Nearest Neighbors,       99.67 %
                         KDD dataset                                 Decision Tree, and Extra Trees)                          99.77 %
                         UNSW-NB15 dataset                                                                                    98.09 %
Proposed system          Real-Time DDoS attack Classification        Logistic Regression (LR)                                 72.65 %
                                                                     Naive Bayes (NB)                                         52.88 %
                                                                     Decision Tree (DT)                                       99.90 %


5. CONCLUSION 

DDoS is one of the greatest influences on a network and may lead to its complete disruption if not dealt with correctly, since these attacks are becoming more complex and can easily bypass many traditional protection techniques. Machine learning techniques are being implemented in SDN to overcome network security issues. The DT, NB, and LR algorithms are used to build implicit or explicit models from the given data, producing systems that learn from data without being explicitly programmed, which helps to find hidden patterns and leads to better insights. It is also possible to increase the effective features of the network by relying on M.L, which contributes to the intelligent mitigation of the attacks that cause DDoS. The best result among the machine learning algorithms was DT, with 99.90% accuracy, compared with the other algorithms.

Future work will involve the development of a mitigation module for the attacks explored in this study. Designing a mitigation plan that is both effective and economical requires addressing various issues, including how to close all suspicious communications using SDN's programmability, such as placing blocking rules in edge switches. Among these problems are how to maximize the use of controller and switch resources to implement mitigation policies, how to decrease the mitigator's response time, and how to obtain a scalable solution.